Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 02:10
Static task: static1
Behavioral task: behavioral1
- Sample: YoudaoDict.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: YoudaoDict.exe
- Resource: win10v2004-20231215-en
General
- Target: YoudaoDict.exe
- Size: 6.8MB
- MD5: ff3d9c5dcde804a90e862de9c1d32a8c
- SHA1: 04b0da40346d661a11e9e899daec104ee77c6606
- SHA256: a238bd522702802eb2a2b71b4b00a1a1553b1c2fff0d8b9e50b13e999cabbdf3
- SHA512: 288e716dd70bedd1cebdc7582f44d969050de9ffe387ae0b9363937fc41b62eedb1faba1fd0cead9a05ba96a880df4d00727e60cde2606a16849e8a5cf266ac3
- SSDEEP: 12288:IPvAXg30gk3yrkb+/nCSnilwUOSFaoAiTI2MHPwrQKUs6:IgpbOROQ3s6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  2796 RG0M.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  2232 YoudaoDict.exe
  2232 YoudaoDict.exe
  356 WerFault.exe
  356 WerFault.exe
  356 WerFault.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  356 2796 WerFault.exe RG0M.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 2232 wrote to memory of 2796 | 2232 | YoudaoDict.exe | RG0M.exe
  PID 2232 wrote to memory of 2796 | 2232 | YoudaoDict.exe | RG0M.exe
  PID 2232 wrote to memory of 2796 | 2232 | YoudaoDict.exe | RG0M.exe
  PID 2232 wrote to memory of 2796 | 2232 | YoudaoDict.exe | RG0M.exe
  PID 2796 wrote to memory of 356 | 2796 | RG0M.exe | WerFault.exe
  PID 2796 wrote to memory of 356 | 2796 | RG0M.exe | WerFault.exe
  PID 2796 wrote to memory of 356 | 2796 | RG0M.exe | WerFault.exe
  PID 2796 wrote to memory of 356 | 2796 | RG0M.exe | WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\YoudaoDict.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\YoudaoDict.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\RG0M.exe (child of 1)
      Command line: "C:\ProgramData\RG0M.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 784
         - Loads dropped DLL
         - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2232-1-0x0000000074170000-0x000000007485E000-memory.dmp: 6.9MB
- memory/2232-0-0x0000000000F00000-0x0000000000F88000-memory.dmp: 544KB
- memory/2232-13-0x0000000074170000-0x000000007485E000-memory.dmp: 6.9MB
- memory/2232-10-0x0000000002390000-0x00000000023CD000-memory.dmp: 244KB
- memory/2796-12-0x0000000000400000-0x000000000043D000-memory.dmp: 244KB